Sony SonicStage CP Vulnerability

Version 4.3 of Sony’s SonicStage CP program has a vulnerability (flaw) that can be exploited for malicious intent. The exploit comes in the form of a playlist received from an external party (website, untrusted friend, etc).

So if you’re using a Sony digital music player and this program on your computer don’t open any playlists you didn’t create yourself, until Sony releases a patch to fix it. Details here.

Downloading Codecs

Should you download new codecs when a website tells you to?

What’s a codec anyway?

Your computer needs video codecs to play videos. And like everything else there are quite a few different codecs to choose from. Your computer came with a set of the most popular codecs so you can watch videos, both online and from DVDs.

There are some websites that encode their videos with unusual codecs then ask you to install a new codec to view it. In particular, some pornographic websites have been tricking people into downloading a new codec. Unfortunately in some cases the codec is a trojan that makes very dangerous changes to your computer (allowing attackers to redirect your web browser to wherever they want).

There’s been a reportof some websites tricking Mac users into installing a bad codec like the one mentioned above. In the past Macs have been considered more safe than Windows computers but as they become more popular they also become targets to malware such as this. This particular attack doesn’t work very well because it asks the user to carry out a number of steps. Over time attackers get more sophisticated so it’s best to learn about it as early as possible.

The lessons to be learnt here are:

• Don’t install anything a website tells you to, unless you completely trust the person or company operating it. Even then you need to be certain of what you’re downloading.
• No computer is safe from malicious attacks, no matter what the ads, salesmen or zealous enthusiasts say.
• Pornographic websites are well known to carry malicious content like viruses and trojans.
• Attackers are creative and always find new ways to distribute viruses

SMS Authentication for Credit Cards

A few banks have recently introduced SMS authentication for their credit cards. Basically they’ll send an SMS (text message) to your mobile phone (cell phone, or handphone) to confirm a transaction. You reply to the SMS to approve the transaction.

It’s a security model called “Two Factor Authentication“. This means you need to be in possession of two “things” for a transaction to be approved. If someone stole your credit card details and made a transaction, e.g. online, you would receive an SMS on your phone and you’d know it was fraudulent. In this case you wouldn’t reply to the SMS and the transaction would be halted. And if you’re making the purchase yourself you can approve your own transaction.

The idea sounds good at first. And of course it has its own set of problems. More interesting is the reasons why these banks have introduced this technology.

Problems:

• Only some transactions are protected using this method. It’s up to the banks but generally it seems that a large number of transactions will continue to function as before. 
• For legitimate purchases it can be a nuisance
• It’s not a foolproof system
• As more people use the SMS option the costs to the bank will increase greatly and they would either end the service or pass on costs to their customers

Here’s an interesting comment published in this ZDNet article. Matthew Woodrow, Head of Information Security at Westpac, was quoted saying “It’s not to do with security at all… consumers have expectations of security levels while using their mobile phones to do their banking. So you’re not thinking about security at all, but you’re thinking about the product and what consumers want”. In other words a large bank’s security expert is admitting that SMS authentication is more about how customers “feel” about safety.

It seems to be a temporary fix to credit card fraud. Smart card technologies (chips embedded in the credit card) seem to be a better solution.

In summary security is often more about how it makes people “feel” rather than truly preventing crimes. It helps to see things for what they really are and not believe what you hear in ads.

Harmful Websites

It seems Possibility Media’s websites have been hacked. There are a few interesting things to learn here. First have a look at the following screenshot:

At the time of writing (28 Oct 2007) if you go to Google’s website and search for the term “possibility media” you’ll get the results shown above. Google found the correct website and if you look closely there’s a warning that “This site may harm your computer“. If you don’t notice this small writing and just click on the link Google will display a large warning spelling out the risks. This is a very nice security feature provided by Google. They use a 3rd party tool to analyse websites for malware and make it difficult for you to load a website that contains harmful code.

The other thing to note is that Possibility Media’s websites have been hacked and contain harmful code. It’s still unclear what damage this can do to your computer (it’s currently being investigated by antivirus companies). Some of their other websites that have also been hacked are:

• webweekmag.com – Web Week Magazine
• itweekmagazine.com – IT Week Magazine
• technologyweekmag.com – Technology Week Magazine
• theinternetstandardmag.com – The Internet Standard
• securitystandardmag.com – Security Standard

Hopefully by the time you read this it would have been cleared up. The purpose of mentioning these websites is to point out that common websites that have completely legitimate businesses behind them are still vulnerable to malicious tampering and that it can affect pretty much everybody.

There are a couple of things you can do about this:

• Use a good antivirus program on your computer. To be effective against this type of attack it needs to do something called “web filtering”.
• Keep your antivirus software updated. This usually requires a paid (yearly) subscription.
• Use an alternative web browser. I haven’t written about this yet but consider using either FireFox or Opera.

Lottery Scams

A reader of FraudO.com, Christoph, has reminded us of a particular type of scam called Lottery Scams, also called a Dutch Lottery or a 419 Scam or a lottery of various other European countries. These scams begin with a letter or email telling the victim they have won a lottery.

The email instructs the victim to contact a “claims agent” to collect their prize money. The agent then sends the victim a claim form to verify their identity. The fake agent is building rapport and making it appear that there’s a real agency behind the emails. The form is in fact used to collect personal information about the victim, such as their passport number and driver’s license number. This is where the identity theft begins.

If the victim asks for some proof of the agency’s legitimacy they often fax back a legal looking document (which of course doesn’t prove anything, it just makes the victim feel more comfortable). This web page has examples of the fax and other documents the scammers send.

The victim is then given some options on how to collect the alleged winnings. In each case the scammer is setting up the victim:

• The winnings can be deposited directly to the victim’s bank account. This seems to be the more popular option. The scammer will request a large fee to make this happen (such as special taxes, insurance or legal fees). The scammer will end up keeping this money.
• The victim has the option to open a new overseas bank account to receive the alleged winnings. The bank is fake, but the victim is told that the bank requires a large deposit to open the account.
• The winnings can be picked up in person, often in The Netherlands. The victim will later be told that they have to pay a fee in cash to release the winnings. The victim is then given counterfeit prize money.

What to do:

1. Don’t reply to the emails (or letters or phone calls). Don’t give the scammer any indication that you exist.
2. Don’t send any money or provide any personal details.
3. Report the scam to your local authorities.

It seems many people are victims of this particular kind of fraud. In most cases the scammers are never caught, and even if they are the money is usually never recovered. Please be aware of how common this scam is and help your colleagues, friends and family to be aware of it.

The scam works because people want to believe it’s real, even if they didn’t enter a lottery in a foreign country. It’s up to everyone to talk openly about it and increase awareness of it.

Adobe Reader Vulnerability

If you use Windows XP and have Adobe Reader version 7 – 8.1 you need to patch it. Use Adobe’s built in patching system to update it.

The vulnerability was discovered last month and there are already exploits that can allow attackers to take over your computer. Interestingly one of the known vulnerabilities was created by a Russian online crime syndicate called RBN (Russian Business Network). They’re responsible for a large amount of online crime.

A bulletin from Adobe is here, for reference.

A Summary On Nigerian Scams

Nigerian scams are so called because the majority of them originate from Nigeria, and they use the same tactic. Below is a brief summary on what it is, why it works, and how large the problem is.

A victim received an email (or sometimes an old fashioned letter) from someone posing as a lawyer. The text contains a story about a large amount of money locked up in a bank account, which gets the reader’s attention, and asks for help in retrieving it. In exchange the pretend lawyer promises a large reward.

The email can contain a statement such as “…In the discharge of my duty, I stumbled on this domiciliary account that has remained dormant for three years now with eight million, five hundred thousand United States dollars ($8.5M) in it…. That my purpose of contacting you is because the deceased has the same name with you…”

What happens next is an exchange of correspondence, with the scammer and victim writing to each other. The story usually becomes emotional and touching, keeping the victim’s attention. Then the victim is asked to hand over some money to help with legal fees. The scammer often sends the victim a cheque as a token of good faith that the money is there. Unfortunately the cheque is fake and the victim’s bank won’t accept it. This is often where the victim realises what’s happened.

This scam has apparently been in use for many years, even before emails became prevalent. It continues to work because the victims are tempted by a large amount of money.

How widespread is the problem? In this British articledated 4 Oct 2007 it states that 4500 fake documents were seized and that US$16.2m of fake cheques were seized. It also states that it costs the UK GBP4.5b every year, though this probably includes law enforcement costs. The problem isn’t limited to the UK either, it’s global.

What can you do? Be aware that this is a common scam and talk about it with anyone unfamiliar with the dangers present on the internet, especially older people. It would also be useful to report such emails (and letters) to your local authorities. A lot of people get arrested for taking part in these scams and any evidence you might have could be useful.

I’ve read articles describing victims that have gone to Nigeria to hunt down the scammer and reclaim their money, and they story ends tragically with murder or kidnapping. If I find these articles again I’ll post them here.

Technical Definitions

This article summarises some terms used to classify all the different threats out there on the internet.

Terms that end with ware:

• Malware – a general term that sums up all of the terms below. 
• Spyware – programs that secretly spy on your computer recording such things as your passwords and sometimes even what’s on your screen.
• Crimeware – a general term for programs that install themselves on your computer for the purpose of committing a crime (such as stealing your money from your bank account). These are usually controlled by hackers.
• Adware – programs that cause your computer to display a large number of ads. They have the side effect of slowing down your computer.
• Trackware – these programs monitor what websites you visit and send statistical data back to a 3rd party (often a marketing company). This is often considered an invasion of privacy.
• Grayware – a general term for malware that is used for marketing (as opposed to committing crimes).

Other terms:

• Spam – unsolicited email.
• Browser Hijacker – a program that changes the settings of your web browser, such as your home page or the error page.
• Freeloaders – any program that installs itself by fraudulent means.
• Browser Helper - often seen as a toolbar for web browsers, such as the Google Toolbar or Yahoo Toolbar. Some of the less well known browser helpers monitor and manipulate your browser.
• Keylogger – a type of spyware that records keystrokes on your keyboard. This will capture your username and password when you log into services.
• Dialer – a program that makes phone calls using your dialup modem without your permission. Often to expensive premium phone services.
• Zombie – a computer that has a hidden program allowing a hacker to take it over at any time.
• Botnet – a large collection of zombie computers. Hackers sometimes need to control lots of computers at once to cause some of the trouble they cause.
• Vulnerability – Almost all programs have vulnerabilities. Sometimes it takes days and other times it can take years for someone to find a vulnerability. They can then be exploited, e.g. to take control of computers.
• Zero Day Exploit – when a vulnerability is discovered in any program, if hackers can exploit it on the same day it’s been discovered it’s called a zero day exploit. This means software and antivirus companies have less than 1 day to discover the exploit and update their software to combat it – often a difficult thing to achieve.
• Phishing – the practice of tricking users into going to a login page that looks legitimate but sends login details to the hackers.
• Cookies – these aren’t bad, they’re used so web pages can remember you. Some people consider this an invasion of their privacy.

This is only a small set of technical terms used to describe online security threats, most of the others are advanced and relevant to professional IT workers. The descriptions have also been simplified because this is an introduction to security.

Stock fraud using MP3 files

This is a fairly new tactic used by spammers. If you frequently download MP3 files (hopefully only those you have permission to download) sooner or later you might unknowingly download a file that doesn’t contain music but instead has a recorded message.

The message is computer generated, so it doesn’t sound human at all. And it tells you to invest in particular shares, called “penny stocks”. Obviously you’d be crazy to take financial advice from an audio spam you accidentally downloaded (in other words, delete the file and don’t buy their shares).

There isn’t much you can do at this stage to avoid it, other than taking care to download audio MP3 files from reputable (and legal) sources. I expect antivirus or antispam filters to quickly start checking audio files as well as the usual emails.

For now it’s being called “MP3 spam” by the media, we’ll see how this one evolves.

• About

  Read the latest articles shown on the left, and use the options below to search for past articles. FraudO.com is committed to educating all users on the dangers of the internet and how to avoid them.

• Email Subscription

  Enter your email address:

  Delivered by FeedBurner

• Sponsored Ads:

  • Anastasia International Scam

• Recently Written

  • Emails That Ask You To Run An Attachment
  • Fake Virus Scan
  • Smileworld Scam
  • Infected Samsung S8500 Wave SmartPhones
  • Facebook Password Reset (Virus)
  • Free $1000 Ikea Gift Card Scam
  • Phishing emails from Skype
  • Passwords Compromised on JIRA, Bugzilla & Confluence
  • Admin update
  • McAfee Stinger
  • Another Scam Job
  • ICS Monitoring Team
  • Facebook Groups And Toolbars
  • An Interview with a Nigerian Internet Scammer
  • Fake CUA Email

• Categories

  • Admin
  • Antivirus
  • Backups
  • Fraud
  • General
  • hoax
  • Identity Theft
  • Malware
  • News/Media
  • Phishing
  • Privacy
  • Scams
  • Security
  • Software
  • Statistics
  • Uncategorized

• Archived Articles

  Select Month July 2010  (2) June 2010  (2) April 2010  (5) March 2010  (3) February 2010  (5) January 2010  (11) December 2009  (1) November 2009  (2) October 2009  (4) September 2009  (10) August 2009  (9) July 2009  (7) June 2009  (20) May 2009  (15) April 2009  (12) March 2009  (10) February 2009  (14) January 2009  (10) December 2008  (10) November 2008  (3) October 2008  (7) September 2008  (5) August 2008  (11) July 2008  (17) June 2008  (8) May 2008  (17) April 2008  (23) March 2008  (22) February 2008  (20) January 2008  (31) December 2007  (17) November 2007  (21) October 2007  (11) September 2007  (5)

• Affiliates

• Spam Blocked

  32,952 spam comments blocked by
  Akismet

• Stats